CIVI-SA-2026-24: RCE via File API

Published
2026-06-15 20:04
Written by

In the File API, there was inscufficent validation of the uri field to prevent path transversal. This is a follow up to CIVI-SA-2026-01

Security Risk
Critical
Vulnerability
Arbitrary PHP Code Execution
Affected Versions

CiviCRM v6.15.2 and earlier

Fixed Versions

CiviCRM v6.15.3, v6.10.7 (ESR), and later

Publication Date
Solutions

Upgrade to a fixed version of CiviCRM

Credits

Lassi (lassitemp@proton.me), Seamus Lee (JMA Consulting), Coleman Watts (CiviCRM)